# aws
s
This message was deleted.
l
Don't use the root user. Especially not for Pulumi.
The root user should be used for recovering after a disaster, like losing the credentials of an admin user. And pretty much nothing else.
s
Yep, this is certainly not for production 🙂
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User. For a tutorial on how to set up an administrator for daily use, see Creating your first IAM admin user and user group.
w
Ideally, create an IAM role - with the required perms - and assume the role, which can be passed as a parameter to the AWS provider.
l
Root user doesn't generally assume roles. I've never even tried... why assume role as a root user, I can already do everything?
It's the restricted IAM user that needs to assume roles. And should.
Your (Pulumi's) AWS profile / env vars shouldn't be the root creds.
w
Oh, I don't mean to use the root user at all. Create another user and an IAM role that the user should assume.
b
@sparse-tomato-5980 you used to be able to create access keys for the root user but I don't know if you still can. It used to be in a separate section to IAM, I think in root account settings in the dropdown in the top right. If you could, you don't need to add any IAM roles / policies as the root user has access to everything anyway.